Privacy Policy
Plain-English version: we collect your name, email, and (optionally) phone number to send you the car wash playbook and — only if you tick the boxes — occasional follow-ups. We don't sell your information. Ever.
Last updated: May 3, 2026
1. Who we are
This site (cwplaybook.hedgestone.com) is operated by Hedgestone Business Advisors ("Hedgestone," "we," "us"). Questions? Email info@hedgestone.com.
2. What we collect
When you fill out the playbook download form, we collect:
- Required: your full name and email address.
- Optional: your phone number (only required if you opt in to SMS).
- Automatically: your IP address, browser user-agent, and the page that referred you, for fraud prevention and basic analytics.
- Consent flags: whether you opted in to email marketing, SMS marketing, and the timestamp of your acceptance of this policy.
3. How we use it
To deliver the playbook
Once you submit the form, we redirect you to the playbook and notify our internal team that you requested it. Your email is recorded so we can resend the link if you ask.
Email marketing — only if you opt in
If you tick "Email me future playbooks & deal alerts," we add you to our newsletter (roughly 1–2 emails per month). You can unsubscribe with one click in any email. If you don't tick that box, we won't email you marketing — only the playbook.
SMS marketing — only if you opt in
If you tick "Text me when a high-quality car wash hits the market," we'll send you up to 4 SMS messages per month. Message and data rates may apply. Text STOP to any message to cancel; text HELP for assistance. Your consent to receive marketing texts is not a condition of receiving the playbook.
Fraud and abuse prevention
We use IP address and browser fingerprint to detect bot submissions and rate-limit abuse. This data is never used for advertising and is automatically aged out after 365 days.
We never sell, rent, or trade your personal information to third parties. Your data is used by Hedgestone (and the service providers below) for the purposes described here, and for nothing else.
4. Who we share data with (service providers)
To run this form, we use a small set of trusted vendors who process data on our behalf under written contracts:
- Vercel — hosts this site and processes your form submission. Vercel privacy policy
- Upstash — encrypted Redis storage for your submission record. Upstash privacy
- Resend — sends the internal notification email when you submit. Resend privacy
- ipapi.co — receives only your IP address (for country auto-detection in the phone field). No personal information is sent.
5. How long we keep it
Your record is automatically deleted from our active database 365 days after you submit it, unless you become an active client. You can request earlier deletion at any time (see Section 7).
6. Cookies
This site uses no advertising or tracking cookies. The only cookie we set is an admin session cookie (cwp_admin), used solely by the internal admin dashboard. You will never encounter it as a regular visitor.
7. Your rights
You can, at any time and at no cost:
- Access — request a copy of the data we hold on you.
- Correct — fix anything that's wrong.
- Delete — have your record erased immediately (overrides the 365-day retention).
- Opt out — unsubscribe from email (one click) or text STOP for SMS. Opting out of marketing does not delete your record; use "Delete" for that.
Email info@hedgestone.com with the subject "Privacy request — <your email>" and we'll act within 30 days.
If you are a California resident, you have additional rights under the CCPA/CPRA. We process all such requests through the same contact above.
If you are in the EU/UK, our lawful basis under GDPR Art. 6(1) is your consent (Art. 6(1)(a)) for marketing, and our legitimate interest (Art. 6(1)(f)) in delivering the requested resource.
8. Security
Data is encrypted in transit (HTTPS/TLS) and at rest. The site enforces a strict Content Security Policy, HSTS, X-Frame-Options DENY, and same-origin form posting. Admin access is protected by password + signed JWT in an HttpOnly, Secure, SameSite=Strict cookie.
9. Children
This site is not directed to children under 16, and we do not knowingly collect data from them.
10. Changes to this policy
If we materially change this policy, we will update the "Last updated" date and, where required by law, notify you via email.